Security researchers at Network Associates Laboratories have
given the thumbs-up to Microsoft's Encrypting File System (EFS), a
transparent file encryption service built into the Windows XP Professional
and .NET Server 2003 platforms.

The Redmond-based Microsoft , which has battled public
scorn for lax software security, found favor with researchers from Network
Associates Labs, which claimed the EFS encryption service to be secure.

"The findings of the Labs research and analysis indicate that the EFS
service makes a reasonable effort at providing file confidentiality and that
the components are well designed and implemented," Network Associates said
in its detailed report.

The company, which was retained by Microsoft to evaluate the security and
architecture of the EFS technology, said EFS "makes a reasonable effort at
providing file confidentiality (and) makes good attempts to clean up
resources when finished with them and to recover from system failures while
performing operations."

Noting that file integrity or authentication protection are not services EFS
provides, the Lab tests found the design of EFS made some conscious
tradeoffs between absolute security and convenience.

"These tradeoff decisions result in some edge-case scenarios," it said,
adding the edge-case scenarios weren't bugs but were results of the design
decisions and were known from the start.

The EFS, which is a key feature in Microsoft's Windows .NET, provides file
confidentiality. It also provides for multiple users to share access to an
encrypted file using their own access credentials.

The latest approval from a security researcher for a Microsoft product comes
amidst public moves by the software giant to clean up its act regarding
security. The company has promised to limit
the issuing of "critical" security warnings and change the way vulnerability
warnings are issued, particularly for non-technical end-users.

Separately, security consultants Netcraft believes a "critical" bulletin
about a security flaw in Microsoft Data Access Components (MDAC) might not
be so critical after all.

Netcraft, which tracks activity on Apache and IIS Web servers, said its own
tests show the MDAC
vulnerability affects a small percentage of ISS servers.

"Approximately 8 percent of Microsoft-IIS sites tested in 2001 had RDS open
to the public; in 2002 this has fallen to around 5 percent...Almost no
Microsoft-IIS/5.0 sites we have tested were offering RDS and the proportion
of Microsoft-IIS/4.0 sites offering RDS is fairly stable at around one in
four," Netcraft said.

Netcraft noted that a small section of the Microsoft-IIS community is likely
to use RDS, and that it is rarely enabled on public sites, meaning the
security flaw may not affect as many servers as originally believed.